App-Scoop Knowledge Blog​

​Experts estimate that there are more than 40,000 health related applications. That’s a lot of apps for an industry that is just starting to blossom in the market. This number will further grow if Apple decides to launch the “rumored” Healthbook.As per the latest rules and regulations, any health app that stores or processes personal health information, launched in the US must be HIPAA compliant. HIPAA stands for Health Insurance Portability and Accountability Act. The law protects all “individually identifiable health information” or PHI that stands for Protected Health Information. It basically, collects and protects your health information and medical records. So, before you plan to develop a health app, you must ensure that it is HIPAA compliant.

​Apps such as Google Fit, Nike Training that are collecting information like calorie count, weight loss progress, body stats, etc. do not come under the HIPAA compliancy. This data is not considered as PHI (Personal Health Information).On the other hand, if you use any app that holds information such as your medical records, billing information, information about your health insurance, or your health file, the app should be HIPAA compliant. When an individual has received services from a covered identity, it’s also considered as PHI. The name and address of the patient in medical records is also considered PHI. For example, Truevault system is HIPAA compliant because it stores PHI, such as an individual’s medical records.

Making Your App HIPAA Compliant

There are a few things that you need to consider while making your app HIPAA compliant:

​Storage: When you enter the data, it is usually stored in the device’s memory. Hence, the app should make sure that the data is fully encrypted. This information should be stored in the encrypted or else the app would be breaching security as a health service provider and would be considered out of HIPAA compliance standard.“HIPAA compliance is multifaceted. When you’re thinking about cloud storage, your first concern should be the Physical Safeguards required by HIPAA. If your hosting provider isn’t able to meet these requirements (and sign a BAA attesting as much), you need to find a new hosting provider. Once you have a solid foundation, you have a long list of rules to meet; it’s a lot more work than building a simple Rails app on Heroku.” said Kate Borten in an interview with Blue Label Labs.

​Using Transport Layer Security: Also, when the data is being transferred to the server from a device, the app service provider must TLS. They must also pin the security certificate if they see a possibility of the device being used on a platform they can’t trust or compromised network. Privacy and security of medical data is first priority to make it HIPAA compliant.

Email – Not A Secure Way to Send PHI: Since, an email is a very generic communication platform; it is advisable not to use the same to convey PHI. Sending PHI through email is a HIPAA violation. But if you do wish to communicate through email, it should be done via a HIPAA compliant email service provider.

Database/API calls: There are two entities, doctor’s office and business associate that need to be covered under the HIPAA compliance. If your app is not compliant with these entities, you will not be able to give your app access to make API or database calls. You can’t even search and read anything within their database.

​

Push Notification: As we already know, mobile phones are not completely secure devices. The native push notifications are used by many applications to inform users about updates and changes. This runs the risk of violating the privacy regulations that are mentioned in the HIPAA.An app can be completely HIPAA compliant but sometimes a few things are beyond control such as physical phone or laptop security. For example, the data is lost due to theft of your electronic device or someone hacking into your electronic device. Although, you can be extra careful by ensuring that you set a passcode lock setting whose password only you would know. Or in case, of your electronic equipment being lost or stolen, to take advantage of using built-in functionality of your device.

Conclusion

A mobile app developer that has HIPAA obligations is actually an inquiry based on facts. A small change done to the functionality or business models can lead to a different conclusion on whether HIPAA applies or not. Hence, the app developer need to make the boundaries clear and determine whether or not it is going to store PHI, and hence, if it should be HIPAA compliant. If incase, the business model changes, the app developer should review if it again to determine if the app needs to be HIPAA compliant.